On May 25th, the much-anticipated European Union General Data Protection Regulation (GDPR) became fully enforceable. In the week before it did, and after months of community engagement across multiple stakeholder groups, the ICANN Board voted to approve its first-ever Temporary Specification in order to amend its established WHOIS policies to be compliant with the law and to ensure the continued availability of the WHOIS system to the greatest extent possible. The Temporary Specification for gTLD Registration Data went into effect on May 25th and now governs how and what domain registration information Registry Operators and Registrars collect, use, publish, and retain, impacting brands that have come to depend on this same information for effective brand enforcement.
Key Elements of the Temporary Specification
The ICANN Board officially approved the Temporary Specification for gTLD Registration Data on Thursday, May 17th, following a Board vote during the GDD Summit. The Temporary Specification has now replaced certain provisions of ICANN’s contracted parties respective agreements temporarily and is the vehicle with which ICANN has begun to and will continue to enforce Registry Operators’ and Registrars’ contractual obligations with respect to registration data. While there are still some open items, the Temporary Specification represents ICANN’s first decisive action in the face of the new law. Key elements include:
- WHOIS Data Collection – Registry Operators and Registrars are required to continue to collect the full thick WHOIS data, which includes all of the Registrant/Tech/Admin contact details. They are also required to continue to transfer the full thick WHOIS data to the relevant Data Escrow agents. This will preserve the existence of the WHOIS database, and ICANN expects to enforce compliance with this element strictly.
- Publication of WHOIS Data – Registry Operators and Registrars may globally redact any personally identifiable information from their public WHOIS outputs. Under the Temporary Specification, the publicly available WHOIS output will include information corresponding to Domain Name, Name Servers, Registrant Organization (where applicable), and Registrant City and State. Other key fields, such as Registrant/Tech/Admin Name, Email, Phone, Fax, and Street Address will remain but the display output will read “Redacted for Privacy.”
- Contacting Registrants – Registrars are expected to develop anonymized web forms or email addresses for their registrants so that interested third parties may still contact the owner of a domain. This is a significant departure from ICANN’s proposed model, which initially placed this responsibility with ICANN.
- Requesting WHOIS Information – Requests for access to the full thick WHOIS data must be made through the relevant Registrar, who in turn is expected to provide the requested information if it determines such a request has a legitimate purpose.
- Implementation of RDAP – All Registry Operators and Registrars are required to operate a Registration Data Access Protocol (RDAP) service. The RDAP profiles will be established by ICANN on July 31st, after which ICANN will give notice to implement the program. Registry Operators and Registrars will have 135 days from that notice to comply.
- Dispute Resolution – Registry Operators and Registrars are required to provide URS and/or UDRP providers with the relevant full registration data upon notification of a complaint.
- Accreditation – There currently is not an accreditation program in place for third party access to the redacted WHOIS information. ICANN has emphasized the importance of eventually developing one, but there is no clear timeline.
By design, the Temporary Specification may only remain in effect and enforceable for a maximum of 1 year, with mandatory votes for renewal every 90 days. ICANN and the community are in the process of engaging in policy development processes to ensure that a temporary solution is ready to go by the time the Temporary Specification expires next year.
Impact on Brand Owners
While the Temporary Specification most significantly impacts Registry Operators and Registrars operating in the domain industry, brands will also be impacted:
- Brand Monitoring & Enforcement – Much of brand owners’ independent monitoring and enforcement work will be impacted by the new registration data requirements put forth in the Temporary Specification:
- Contacting Registrants – One of the biggest changes arising from the Temporary Specification will be its effect on brands’ efforts to take down and recover third-party infringing domains. Without the publicly available information in WHOIS, brand owners will no longer be able to quickly and independently contact the domain name owner with a demand letter, nor will they be able to negotiate good faith agreements as easily. While Registrars are still contractually required to respond to requests for full WHOIS information if there is a legitimate reason, this process will be slower and may necessitate a legal filing.
- Identifying Patterns of Abuse – What’s more, it will be significantly harder to ascertain if the owner of the domain in question is a repeat offender with a history of malicious behavior. Specifically, it will be almost impossible to identify other domains owned by the same third-party.
- Contractual Requirements – Specifically to .BRAND owners and other corporate TLD operators, the Temporary Specification formally replaces the existing provisions in the Registry Agreement, meaning that those contracts have now changed. Additionally, Registry Operators and Registrars must comply with the provisions of the Temporary Specification with regards to Data Processing.
- WHOIS Information for Corporate Domains – As all Registrars are required to provide registrants the option to publish full, thick WHOIS information, brand owners should receive the option from their respective Registrar(s) if they prefer to mask or unmask their WHOIS information that is used for any of their registered domains. If this WHOIS information is that of a legal entity, then the brand owner should have no concerns leaving its WHOIS information unmasked.
In sum, the arrival of GDPR on May 25th will continue to impact brand owners for the foreseeable future. As it stands, there are no anonymized emails in place and there is no standard procedure for handling requests for access. With time, the anonymized contact forms and the accreditation program will be rolled out and WHOIS should help with enforcement efforts again. Still, the new system will not return to how WHOIS was in the past, and there will be inevitable periods of adjustment, as everyone grows accustomed to the new status quo.
ICANN’s Temporary Specification, while a positive step for the organization, has already met resistance from Registry Operators and Registrars. While ICANN is actively working to implement the last outstanding items connected to the Temporary Specification, ICANN has begun to enforce Registry Operators and Registrars’ compliance with the Temporary Specification to ensure the continued existence of WHOIS. Many moving pieces remain, and while the Temporary Specification outlines a WHOIS for the future that looks one way, this could very well change many more times before it becomes set.